A new batch of compromised sites is being infected with hidden iframes leading to the Redkit exploit kit. A site gets hacked and an iframe similar to this one is added:
Once that is loaded into the browser, it redirects anyone visiting the site to:
Where it tries to make the browser load some malicious PDFs or Jar files:
And if you are running an outdated version of Java or Adobe PDF, your personal computer would get compromised as well.
We are seeing many sites with fake jQuery links on them from jquery-framework.com (just registered on 2012/08/05):
If you use jQuery, make sure to link to reliable sources (either jquery.org or googleapis). This one is redirecting users to http://browser-31.com/s/3013.
The only thing these sites have in common is a single login to wp-admin, followed by a visit to wp-admin/theme-editor.php to modify the theme:
184.22.164.xx - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""
184.22.164.xx - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 -
184.22.164.xx - - [22/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic&scrollto=0&updated=true HTTP/1.1" 200 58188 "-" ""
So it seems someone was able to steal the wp-admin password and edit the theme. It was done automatically (scripted, not through a browser), since no CSS or JS files were loaded between the login and the theme edit.
Another interesting issue is that on some of these sites, we didn't identify any brute force attack trying to guess the passwords. Just this single login.
Since we don't know how these passwords got stolen, we recommend that people change their wp-admin passwords ASAP until we have more info (especially if you have been compromised with the rebots.php injection).
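To hunt for this pattern in your own access logs, here is an added example (not code from the original post) that parses Apache-style lines and flags any client IP that POSTs to wp-login.php and reaches theme-editor.php shortly afterwards without loading a single .css or .js asset in between, which is the hallmark described above. The log lines and IPs below are constructed for the example; the two-minute window is an assumption you can tune.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (the IPs are documentation addresses, not real offenders).
# First client: scripted login -> theme editor, no assets. Second: a normal admin.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2012:21:03:02 -0300] "POST ///wp-login.php HTTP/1.1" 302 - "-" ""
203.0.113.5 - - [29/Aug/2012:21:03:13 -0300] "POST //wp-admin/theme-editor.php HTTP/1.1" 302 -
203.0.113.5 - - [29/Aug/2012:21:03:16 -0300] "GET //wp-admin//theme-editor.php?file=index.php&theme=classic HTTP/1.1" 200 58188 "-" ""
198.51.100.7 - - [29/Aug/2012:09:10:00 -0300] "POST /wp-login.php HTTP/1.1" 302 - "-" ""
198.51.100.7 - - [29/Aug/2012:09:10:01 -0300] "GET /wp-admin/css/wp-admin.css HTTP/1.1" 200 1234 "-" ""
198.51.100.7 - - [29/Aug/2012:09:10:40 -0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" ""
"""

# Tolerates lines with or without the trailing referer / user-agent fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Collapse repeated slashes and drop the query string so "///wp-login.php"
    # and "//wp-admin//theme-editor.php?file=..." normalise to clean paths.
    path = re.sub(r"/+", "/", m.group("path")).split("?", 1)[0]
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"), "path": path}

def find_theme_editor_abuse(log_text, window_seconds=120):
    """IPs that POST wp-login.php and hit theme-editor.php within the window
    with no .css/.js request in between (assumed window: 120 s)."""
    window = timedelta(seconds=window_seconds)
    by_ip = {}
    for e in filter(None, map(parse_line, log_text.splitlines())):
        by_ip.setdefault(e["ip"], []).append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not (e["method"] == "POST" and e["path"].endswith("/wp-login.php")):
                continue
            saw_asset = False
            for later in evs[i + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                saw_asset |= later["path"].endswith((".css", ".js"))
                if later["path"].endswith("/wp-admin/theme-editor.php") and not saw_asset:
                    flagged.add(ip)
                    break
    return sorted(flagged)
```

Run it over a real log with `find_theme_editor_abuse(open("access.log").read())`; a hit is a reason to rotate that site's wp-admin password and diff the theme files.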